07-12-2010 03:46 AM - edited 02-21-2020 04:43 PM
Hello all,
I have 2 ASAs connected to each other with an IPsec VPN.
One of the ASAs has SSLVPN for users to access its intranet resources,
but I don't know how to access the inside network on the other ASA.
My network architecture is below:
192.168.1.0/24 ---- ASA1 --- Internet --- ASA2 ---- 172.24.0.0/16
SSLVPN uses 192.168.55.0/24 IPs on the outside interface.
An IPsec L2L VPN is established between ASA1 and ASA2.
192.168.1.x can access 172.24.0.0/16 via NATing to ASA2's inside interface IP.
But now I want 192.168.55.0/24 to access 172.24.0.0/16; I did some configuration but it does not work...
Is there any suggestion?
Thanks a lot
07-12-2010 03:59 AM
There are a few things that need to be configured:
1) On ASA1 - same-security-traffic permit intra-interface
2) On ASA1 - if you have split tunnel configured for the AnyConnect, you would need to include 172.24.0.0/16 in the split tunnel ACL
3) For the crypto ACL, you would need to add the ip pool subnet as follows:
-- On ASA1 - crypto ACL: permit ip 192.168.55.0 255.255.255.0 172.24.0.0 255.255.0.0
-- On ASA2 - crypto ACL: permit ip 172.24.0.0 255.255.0.0 192.168.55.0 255.255.255.0
4) On ASA2 - NAT exemption ACL should include: permit ip 172.24.0.0 255.255.0.0 192.168.55.0 255.255.255.0
Hope that helps.
07-29-2010 09:13 PM
Hello all,
It seems not to work...
In the attachment are the config files of ASA1 and ASA2.
Since ASA1's SSLVPN users using 192.168.55.0/24 cannot route to 172.24.0.0/16,
but ASA1's internal network users using 192.168.1.0/24 can route to 172.24.0.0/16,
what could I do to make 192.168.55.0/24 route to 172.24.0.0/16 with the IPsec L2L VPN established?
This is weird... orz
Thanks a lot
stephon
07-30-2010 05:01 AM
Hi, the split tunnel you added for the ASA2 network should allow the VPN clients to send traffic through the tunnel when they want to reach the remote subnet.
Can you add this too:
access-list nonat_outside permit ip
nat (outside) 0 access-list nonat_outside
Also, in the config you have not added the crypto ACL entry for ASA1, that is, from 192.168.55.0 to 172.24.0.0.
See if that helps.
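To tie the two replies above together (the four-step list from 07-12-2010 and the nonat_outside / crypto ACL advice in this post), here is an added example of what the relevant fragments look like on both ASAs. This is not the poster's attached config; it uses pre-8.3 NAT syntax as in the thread, and the names SSLVPN_POOL, SSLVPN_GP, SPLIT_TUNNEL, L2L_ASA2, L2L_ASA1, nonat_outside, nonat_inside and OUTSIDE_MAP, plus the peer addresses, are assumed placeholders. Existing entries for 192.168.1.0/24 are unchanged and omitted.

```cisco
! ===== ASA1 (terminates the SSL VPN; pool 192.168.55.0/24 lands on outside) =====
! Assumed names: SSLVPN_POOL, SSLVPN_GP, SPLIT_TUNNEL, L2L_ASA2, nonat_outside, OUTSIDE_MAP
! Step 1: pool traffic enters on outside and must leave on outside again (hairpin)
same-security-traffic permit intra-interface
ip local pool SSLVPN_POOL 192.168.55.1-192.168.55.254 mask 255.255.255.0
! Step 2: split tunnel must list ASA2's LAN, or the client never sends it into the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.24.0.0 255.255.0.0
group-policy SSLVPN_GP internal
group-policy SSLVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
! Step 3: the L2L crypto ACL needs the VPN pool, not only the inside LAN
access-list L2L_ASA2 extended permit ip 192.168.55.0 255.255.255.0 172.24.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_ASA2
crypto map OUTSIDE_MAP 10 set peer <ASA2_OUTSIDE_IP>
! NAT exemption on outside: the pool is an outside-side source, so exempt it there
access-list nonat_outside extended permit ip 192.168.55.0 255.255.255.0 172.24.0.0 255.255.0.0
nat (outside) 0 access-list nonat_outside

! ===== ASA2 (protects 172.24.0.0/16) =====
! Assumed names: L2L_ASA1, nonat_inside, OUTSIDE_MAP
! Step 3 (mirror): crypto ACL must be the exact mirror of ASA1's entry
access-list L2L_ASA1 extended permit ip 172.24.0.0 255.255.0.0 192.168.55.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_ASA1
crypto map OUTSIDE_MAP 10 set peer <ASA1_OUTSIDE_IP>
! Step 4: NAT exemption so replies to the pool are not translated out of the tunnel
access-list nonat_inside extended permit ip 172.24.0.0 255.255.0.0 192.168.55.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
```

To check the result on ASA1 without a client, `packet-tracer input outside icmp 192.168.55.10 8 0 172.24.0.10 detailed` should pass through a VPN encrypt phase rather than being dropped, and `show crypto ipsec sa` should then list a security association for the 192.168.55.0/24 to 172.24.0.0/16 pair.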
08-02-2010 08:54 AM
Hello all,
I found that I hadn't added the VPN IP pool into the crypto ACL before.
Now it works.
Thanks a lot